ABSTRACT
Web 2.0 applications allow individuals to manage their content online and to share it with other users and services on the Web. Such sharing requires access control to be put in place. Existing access control solutions, however, are unsatisfactory: they do not offer the functionality that users need in the open, user-driven Web environment. In addition, such solutions are often custom-built and require substantial development effort, or they rely on existing frameworks that benefit developers rather than end users.
New proposals such as User-Managed Access (UMA) offer a promising approach to authorization for Web 2.0 applications. UMA puts the end user in charge of assigning access rights to Web resources. It allows users to share data more selectively through a centralized authorization manager that makes access decisions according to the user's own instructions, while the application hosting the data only enforces those decisions. In this paper, we present the UMA/j framework, which implements the UMA protocol and allows users of Web applications to use their preferred authorization mechanisms. It also supports developers in building access control for their Web 2.0 applications by providing ready-to-use components that can be integrated with minimum effort.
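As an added illustration (not code from the paper or from UMA/j), the following Python script simulates the division of labour the abstract describes: the host (resource server) only registers permission requests and enforces, the authorization manager decides purely from the authorizing user's instructions, and the requester shuttles a permission ticket and the resulting token between the two. The token format (HMAC-signed JSON), the key shared between the authorization manager and the host, the policy store and the sample resources are all assumptions made for this demo; UMA itself does not mandate any of them.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption for the demo: the AM and the host share one HMAC key so the host can
# validate tokens locally. A real deployment would use per-host keys or introspection.
AM_KEY = b"demo-am-signing-key"
# Constructed sample resources held by the host on behalf of the authorizing user "bob".
RESOURCES = {"album/42": ("bob", "holiday photos"), "album/43": ("bob", "private scans")}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify_token(token: str, key: bytes):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    try:
        body, mac = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(_unb64(body))
    return claims if claims.get("exp", 0) >= time.time() else None


class AuthorizationManager:
    """Centralized decision point; every decision comes from the owner's policy."""

    def __init__(self, key: bytes):
        self.key = key
        self.policies = {}  # (owner, resource_id) -> {requester_id: set(scopes)}
        self.tickets = {}   # permission ticket -> (owner, resource_id, scope)

    def set_policy(self, owner, resource_id, requester_id, scopes):
        self.policies.setdefault((owner, resource_id), {})[requester_id] = set(scopes)

    def register_permission(self, owner, resource_id, scope) -> str:
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (owner, resource_id, scope)
        return ticket

    def issue_token(self, ticket, requester_id):
        entry = self.tickets.pop(ticket, None)  # single use: a replayed ticket yields nothing
        if entry is None:
            return None
        owner, resource_id, scope = entry
        if scope not in self.policies.get((owner, resource_id), {}).get(requester_id, set()):
            return None
        claims = {"sub": requester_id, "res": resource_id, "scope": scope,
                  "exp": int(time.time()) + 300}
        return sign_token(claims, self.key)


class Host:
    """Resource server: never decides itself, only registers permissions and enforces tokens."""

    def __init__(self, am, key, resources):
        self.am, self.key, self.resources = am, key, resources

    def handle(self, resource_id, scope, token=None):
        if resource_id not in self.resources:
            return {"status": 404}
        owner, data = self.resources[resource_id]
        if token is None:  # unauthenticated request: hand back a ticket for the AM
            return {"status": 401, "ticket": self.am.register_permission(owner, resource_id, scope)}
        claims = verify_token(token, self.key)
        # The token must be bound to exactly this resource and scope, not just be valid.
        if claims is None or claims["res"] != resource_id or claims["scope"] != scope:
            return {"status": 403}
        return {"status": 200, "body": data if scope == "read" else "updated"}


def run_flow(am, host, requester_id, resource_id, scope, use_token_on=None):
    """Requester side: ask the host, redeem the ticket at the AM, retry with the token."""
    first = host.handle(resource_id, scope)
    if first["status"] != 401:
        return ("unexpected", first["status"])
    token = am.issue_token(first["ticket"], requester_id)
    if token is None:
        return ("denied_by_am", None)
    second = host.handle(use_token_on or resource_id, scope, token=token)
    return ("granted" if second["status"] == 200 else "rejected_by_host", second["status"])


def build_demo():
    am = AuthorizationManager(AM_KEY)
    host = Host(am, AM_KEY, RESOURCES)
    # Bob's instructions: alice may read album/42, carol may read and write it; album/43 is shared with nobody.
    am.set_policy("bob", "album/42", "alice", {"read"})
    am.set_policy("bob", "album/42", "carol", {"read", "write"})
    return am, host


if __name__ == "__main__":
    am, host = build_demo()
    for who, res, scope in [("alice", "album/42", "read"), ("alice", "album/42", "write"),
                            ("carol", "album/42", "write"), ("mallory", "album/42", "read")]:
        print(who, res, scope, "->", run_flow(am, host, who, res, scope))
```

The point worth noticing is that the host contains no policy at all: changing who may see album/42 is a single `set_policy` call at the authorization manager, which is exactly the selective, user-driven sharing the abstract argues for. The host still has to check that a valid token is bound to the requested resource and scope, otherwise a token issued for one album would open another.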
Index Terms
- Design and implementation of user-managed access framework for web 2.0 applications